Blog Post

A step-by-step guide to making CISPA suck less

The Cyber Intelligence Sharing and Protection Act is a lot like your old college buddy who used to get way too drunk and then puke in your lap: it claims to mean well, but its actions suggest otherwise. With its passage by the House of Representatives on Thursday, though, CISPA is one step closer to becoming law. Your old college buddy wants to work at your company, and he wants you to put in a good word.

It’s tough to figure out whether that’s good news or bad news. Maybe he’s changed and it will be a lot of fun to work together. Maybe CISPA could actually be used primarily for the legitimate cause of fighting cyber attacks, and critics are just reading too much into its myriad vagaries.

Just to make sure, though, here’s a step-by-step guide Congress can follow in order to quell any concerns about how CISPA will be used.

Step 1: Figure out what you actually want

Stopping cyber attacks is a noble goal, but it’s a tad broad. This is especially true when it comes to information pertaining to said cyber attacks, which could mean anything from system-level data related to attempted attacks, to emails about hacking activity. Considering that CISPA covers the entirety of U.S. businesses and organizations, the types of information that could be shared are seemingly limitless.

That’s what has CISPA opponents up in arms, so narrow it down. They might not mind anyone sharing server logs illustrating suspected hacking incidents, but emails, phone records, download activity, you name it — well, that’s a little much.

Step 2: Let’s see some conditions

In the current version of CISPA, information sharing — and then government action upon that information — is conditionless. Everyone shares only they want to, and then they pretty much do what they want with it. The government can’t use data for regulatory purposes, but it can otherwise act upon it under the rather broad definitions of cybersecurity and national security.

Opponents might actually feel better about such broad sharing permissions if they were conditioned on the presence of specific characteristics that justify the need to share (e.g., a direct threat against a particular system, or more than passing similarities with previous attack methods). And if the government has authority to act upon any info it receives, there should be conditions on what actions it can take under what circumstances.

Step 3: Lose the black box

This is probably the bill’s single biggest flaw: there’s no accountability to anybody for anything. Not only is the information shared under this bill free from existing laws mandating the disclosure of agency records, but — and here’s the kicker — “[n]o civil or criminal cause of action shall lie or be maintained … against [anybody], acting in good faith for using cybersecurity systems or sharing information in accordance with this section.”

This goes hand-in-hand with Steps 1 and 2. Narrow what can be shared and how it can be acted upon, under what circumstances, and then have penalties in place for violations. Otherwise, the bill reads “spy with impunity,” and very few people — not even the President — are getting on board with that.

Step 4: If all else fails, make it longer

As anyone who has read CISPA might have noted, it’s a pretty short bill. But when you’re talking about complex issues, such as privacy, you can’t simply do away with nuance and detailed explanations. Sorry, Justice Scalia.

If someone just sits down in front of CISPA — a whopping 15 pages of center-aligned text in large font — and starts writing literally anything, the bill has to get better. The current legislation is so vague as is that extra text that doesn’t somehow expand the scope of the rules couldn’t make it worse.

Step 5 (for citizens): Contact your senators

Sarcasm aside, this is serious stuff. As I’ve explained before, CISPA isn’t going anywhere because, unlike SOPA, it has actually has redeeming qualities. More importantly, it has powerful backers across Congress, industry and even the web.

What’s troubling now is that the House had a chance to amend the bill to address its shortcoming, but only did so with a few relatively toothless additions, and then passed CISPA in a surprise vote. Assuming the Senate won’t be willing to kill the bill entirely, concerned citizens must contact their senators and point out specific problems with the bill and how they might be improved.

If CISPA becomes an all-or-nothing issue, then the powers representing all will win. Let’s see if the web can learn to compromise.

3 Responses to “A step-by-step guide to making CISPA suck less”

I think the best thing the Senate can do for this country is vote this bill down and send it back to the House with the following message:
“This bill is atrocious and was passed under questionable circumstances in a questionable manner with extremely partisan support.

Rewrite this bill with the support of both parties, the American People, Internet Citizens, and business support. Quit playing politics with this country’s laws and do your job or don’t send us anything.”

I agree, but I don’t see that happening. And if debate stretches into election season, the president will have to answer challenges that he’s against cybersecurity, fighting child pornography and whatever else the bill claims to accomplish.

I really think compromise is the answer here, but that absolutely has to mean some restrictions on what’s allowable and what the bill covers.